After using XorHack for a while I realised it was missing some things, so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64 bit reads and writes. Some new ioctls were also added to provide additional useful functions for your userland code. Lastly, new userland applications were added which give the ability to read, write and execute memory from the command line.

I finally found the time to complete the PS3 exploit toolkit software I mentioned in my previous posts. I call it XorHack. It allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program. To give an example of how it can be used, I have included the following example programs:

ps3exploit – Runs the software required to exploit the PS3; it loops a number of times, which can be specified as a parameter. (This must still be used along with the “button pressing”; it will not exploit the PS3 via software alone.)

I haven’t gotten around to doing an update in a while due to work (and a little relaxation) taking all my time. Rather than wait until I have finished all of the stuff I wanted to before posting again, I decided to post some tidbits to tide you over until the rest is ready. Before I do so I’d like to make the following clear, as no matter how many times I say it, people believe what they want to believe instead:

THIS PS3 EXPLOIT WILL NOT ENABLE PLAYING OF COPIED OR BACKED UP GAMES. THE EXPLOIT IS FOR RESEARCH PURPOSES ONLY.

This post will deal with the hardware required to trigger the PS3 hypervisor memory access exploit. The purpose of the hardware is to stop the PS3 from saving a change to a value that we don’t want changed. The PS3 saves this changed value by writing the value to RAM. Therefore in order to stop it from saving the changed value we need to stop this write from occurring.

The PS3 sends the write command to the RAM over some control lines, so we interfere with these control lines at the moment the write command is sent. The result we want is for the PS3 to think it has successfully written the value to RAM, while the RAM never received the write command due to our interference and so did not perform the write operation.

As I’m sure everybody heard, the memory access exploit for the PS3 hypervisor was released recently by geohotz. I was finally able to replicate his hack, so I thought I’d take the time to help out others who may also have trouble due to being linux n00bs like me. If I were to post everything at once it would be too much work and I’d never get around to it, so I’ll post bits at a time to ensure I actually do post it, heh. Today’s post will talk about the software side of the exploit.

Please note that the geohotz exploit software was hardcoded for the v2.42 firmware; I have made a small fix that attempts to dynamically support all firmware versions. However, I have only tested and used it on v3.15.

As more special PPC instructions are stumbled across, support for them gets added to the plugin. I know I could go through an exhaustive list of all instructions and add them all, but for now I am content with adding them a few at a time 😛

I also added support for the SystemSim “callthru” instruction (should this even be used outside of a simulator?) and, lastly, an instruction that I cannot find any information about. Its hex value is 0x02002000, so for now I have added this instruction as opcode_02002000 so that it will at least disassemble to code and can therefore be treated as code. If anyone knows what this instruction is, please let me know.

This is useful when disassembling Xbox360 and PS3 binaries in IDA, as they utilise these special instructions that are not supported by IDA’s built-in PPC disassembler module.

I have made some fixes to instructions that were previously handled incorrectly, as well as adding support for some new instructions. I also fixed an issue where instruction sizes were being reported incorrectly, resulting in an incorrect disassembly.

I’ve been busy digging into the PS3 lately; I decided it’s finally time to see what secrets can be extracted from it. During my investigations I found that level-1 syscalls, a.k.a. hypercalls, are not handled by IDA, so I decided to add support for them to the existing PPC Altivec plugin.

I’ve finally gotten around to finishing my SelfTool for manipulating Self and Sprx files. Self files are like exe files for the PS3, and Sprx files are like dll files for the PS3.

Among other things, SelfTool can be used to print out information stored in the file in a readable format to make studying them easier.

NOTE: This DOES NOT enable booting of copied games in any way. It also does not support decrypting or encrypting of self/sprx files. It is really only useful for those who are interested in looking a bit deeper into self/sprx files.